Handling Secrets in Microservices

As we discussedrecently , microservices are being adopted widely across organizations and industries for their ability to increase service delivery and speed time to market while decreasing team overhead. As organizations begin traveling down the path to a microservices architecture , one hurdle that they often run into is secret management. For, as the number of microservices increase, so too do the number of credentials—often exponentially so—creating a need for effective and efficient management.

What is a Secret?

Secrets are credentials like API-keys, passwords, SSH-keys, etc. that a service needs to authenticate and communicate with other services, with cloud infrastructure, traditional infrastructure such as an Oracle database, or an external SaaS payment gateway. As the number of microservices increase, it’s easy to see how the number of secrets can increase along with them. And, with the proliferation of microservices, it becomes increasingly impractical to manage and control the number of credentials manually.

Credential Management

At the end of the day, there are two approaches to credential management: distributed and centrally automated.

Distributed management provides each individual team access to their needed credentials. In addition to being manual, the downside to a distributed approach is that it lacks separation of control with the same people who have password access often being the same developers who write code. This introduces unnecessary risk into the environment.

Centrally automated management is a credential management system in which security is treated as a first class citizen. Automated credential management systems encourage a Security by Design approach to building microservices environments, giving developers powerful tools to automate secret management from day one while providing critical separation of duties.

Hashicorp Vault

Vault is a great example of an automated management system, and one that our microservices experts often use as we build new environments for our customers using Security by Design principles. Vault provides an interface to static secrets in encrypted form as well as dynamic secrets with tight security controls. Vault can dynamically create secrets for things like passwords or keys generating them automatically and on demand. Dynamic secret creation addresses two issues:

They expire in a defined period of time greatly decreasing their value if leaked. If a password were leaked from a traditional LDAP or AD system, for example, an unauthorized user could potentially do a great deal of damage with it. However, if an unauthorized user were to get their hands on a dynamically created password with a 60 second shelf life, the window of opportunity is incredibly small. Further, with this approach, passwords cannot be re-used; even within the lease period, they are a one-time use only.

As an example, with Vault, developers can avoid hard coding AWS credentials into their code. Instead when an application needs access, it queries Vault for credentials which are generated on-demand. In this case the lease may be as low as 60 seconds and have specific conditions attached.

Vault creates a detailed audit log that tracks the use of dynamic passwords, with details on when the password was used, the amount of time the user was in the server, who used the password, for what application and more. Understandably, security teams greatly appreciate this level of insight and oversight.

Ideal Security Framework

The AWS experts at Flux7 see a growing demand from organizations for automated, centralized credential management. The demand is being driven from CISOs down through the rest of the organization for a security framework for both employee and machine-driven credentials; Vault secrets management for microservices directly addresses this framework while encouraging a Security by Design approach. We are proud to be a HashiCorp Vault partner delivering this much needed value to the enterprise.

For example, we recently worked with a Fortune 1000 financial service industry firm to secure its AWS and SSH credentials using the Vault SSH Secret backend. The SSH backend dynamically generates SSH credentials for remote hosts, thus increasing security by removing the need to share private keys with all users needing access to infrastructure.

While you might imagine that financial services and other industries that have sensitive data are lining up to manage secrets in this way, we see organizations across the spectrum looking to ensure the security of their intellectual property, customer data, and more. There are simply no dividing lines when it comes to increasing security and taking a best-in-class approach to managing static and dynamic secrets.

For example, we recently concluded a successful secrets management project for a marketing analytics startup who needed to manage a large amount of credentials dynamically.Working with them we established a Vault-powered secrets mechanism to secure the passwords for their services.

Similarly, we recently partnered with a large electronic health record company that needed to ensure HIPAA compliance of its cloud-based data. Microservices provided this organization with greater agility and the ability to innovate at the speed of market change. And, with an efficient management system for secrets, its CISO was secure in the knowledge that the firm’s services credentials were secure and met regulatory thresholds.

Microservices provide a wide variety of benefits for organization, most notably of which is increased ability to pivot quickly in response to market needs and greater agility in bringing innovation to market quickly. In the process, however, security needs to be designed and built into the system, including effective secret management.

With automated, centralized secret management, security is treated as a first-class citizen. Is your organization looking to gain competitive advantage with microservices but doesn’t want to leave security behind in the process? If so,reach outto us today. Our award-winning consultants are happy to share how our secret management best practices can benefit your organization.